1. Field
The present inventive concept relates to an apparatus and method for providing a virtual private network (VPN) service based on mutual authentication, and more particularly, to an apparatus and method for providing a VPN service operating at an application layer having improved reliability.
2. Discussion of Related Art
In distributed enterprise environments, an exemplary approach for connecting a head office and branch offices includes establishing a network between the offices using leased lines or frame relays. However, this approach has a disadvantage in that the network line cost of building up the leased lines or frame relays is relatively high.
Therefore, virtual private network (VPN) technology, which employs a low-cost Internet-based public network instead of leased lines or frame relays, is being more widely used. A VPN virtually establishes a private communication network by connecting the head office and remote terminals (branches) over existing public networks while ensuring secure communications.
A related art VPN is typically operated at a transport layer and a network layer using a protocol such as Internet Protocol Security (IPSec), Secure Sockets Layer (SSL), and so on. However, this related art VPN is only operable at layers below the transport layer. As a result, network scalability (e.g., by additional relays) is difficult to achieve and client portability is decreased due to the high dependency upon hardware.
To overcome this disadvantage, a VPN scheme operating at an application layer has been proposed, in which a Secure Shell (SSH) protocol is employed. In a VPN operating at the application layer, a network may be scaled relatively easily, but only a single path is provided when connecting via a relay server, and thus the reliability of the network is decreased. Also, when a hosted VPN service in which a plurality of VPN servers are connected to one relay server is provided, VPN services must be provided to several enterprises rather than just one enterprise, and thus problems may be caused by differing network security schemes, and collisions of Internet Protocol (IP) traffic may occur.
Korean Patent Application Publication No. 10-2006-0126952 discloses a primary protocol service which controls access of a client to a host service. A ticket agency transmits a first ticket and a second ticket to the client and the primary protocol service, respectively. The primary protocol service and the host service receiving the tickets can communicate with each other using a secondary protocol. Also, the primary protocol service can communicate with the client using a primary protocol encapsulated within the secondary protocol.
The primary protocol service and the client receiving the tickets from the ticket agency transmit and receive data through protocol encapsulation, thereby maintaining data security and reliability. However, authentication of the client is implemented not by an active request from the client to the primary protocol service but by a selection made by the ticket agency. Furthermore, there is no procedure for authentication of the host service. Thus, the reliability of a secure network between the client and the host service, relayed by the primary protocol service, may be decreased.
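As an added illustration, not part of this specification or of the cited publication, the following constructed Python model shows the one-sided check just described: a ticket agency issues tickets to the client and to the primary protocol service (relay), the relay checks the client's ticket, but no step lets the client confirm which host service it has reached, so a substituted host is accepted. The HMAC-protected ticket format, the party names and the second function adding a host-side ticket check are all assumptions made for the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    subject: str   # party the ticket was issued to
    audience: str  # party expected to check it
    nonce: str
    mac: str

class TicketAgency:
    """Constructed model of a ticket agency: it chooses who receives a ticket
    and answers verification queries. The HMAC construction is an assumption."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # constructed per-agency key

    def issue(self, subject: str, audience: str) -> Ticket:
        nonce = secrets.token_hex(8)
        msg = f"{subject}|{audience}|{nonce}".encode()
        return Ticket(subject, audience, nonce,
                      hmac.new(self._key, msg, hashlib.sha256).hexdigest())

    def verify(self, t: Ticket, subject: str, audience: str) -> bool:
        """Genuine ticket that names exactly the expected parties."""
        if t.subject != subject or t.audience != audience:
            return False
        msg = f"{t.subject}|{t.audience}|{t.nonce}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, t.mac)

def related_art_session(agency, client, relay, host, host_seen):
    """One-sided flow: first ticket to the client (checked by the relay), second
    ticket to the relay (checked by whichever host answers, host_seen)."""
    first = agency.issue(client, relay)
    second = agency.issue(relay, host_seen)
    client_ok = agency.verify(first, client, relay)
    relay_ok = agency.verify(second, relay, host_seen)
    return client_ok and relay_ok  # True even when host_seen != host

def mutual_session(agency, client, relay, host, host_seen):
    """Assumed mutual variant: the answering host must also hold a ticket
    bound to its own identity and to this client; the client checks it."""
    ok = related_art_session(agency, client, relay, host, host_seen)
    host_ticket = agency.issue(host_seen, client)  # issued to the answering host
    return ok and agency.verify(host_ticket, host, client)  # False for impostor
```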